Skip to main content
PLATFORM · ÉMILE V2

How Émile works.

Multi-agent orchestration. Proof-of-concept validation. Audit-ready output. The engine behind continuous, human-grade pentesting at machine speed.

PRINCIPLE 01 · PROOF OVER PROBABILITY

Evidence, not alerts.

Security tools flood teams with noise: more alerts, more triage, more wasted cycles. Fleuret operates on a different principle. AI agents explore attack paths creatively, but findings only surface when exploitability is confirmed through controlled validation. If a finding can't be proven with a PoC, it doesn't reach your report.

PROCESS · 04 STAGES

How Fleuret tests like an attacker.

Fleuret doesn't follow a checklist. Émile coordinates dozens of specialist agents, each focused on a specific attack vector. They probe, adapt, and report back. Every finding is validated before it reaches your team.

01 · SCOPE

Define scope and launch

Start a pentest in clicks or via API. Set targets, authentication context, and compliance framework. Émile takes it from there.

INPUTS
3
SETUP
~60s
02 · RECON

Map the attack surface

Automated reconnaissance discovers every exposed endpoint, subdomain, and entry point. The Coverage Graph begins tracking what needs testing.

ENDPOINTS
247
SUBDOMAINS
38
03 · EXECUTE

Execute multi-agent attacks

Specialist agents run real attacks in parallel: auth bypass, injection chains, business logic flaws, privilege escalation. Each agent scoped to one technique, retired after its mission.

AGENTS
12–60
POC ATTEMPTS
47
04 · PROVE & REPORT

Validate and report

Every finding confirmed through a controlled, non-destructive proof-of-concept. Result: audit-ready PDF with DORA and NIS2 mapping, zero false positives.

FINDINGS
17
FALSE POS.
0
ARCHITECTURE · 05 COMPONENTS

Architecture built for depth and trust.

Émile is a coordinated system of specialist agents, deterministic validators, and compliance-native reporting. Designed for production environments at scale.

Émile (Orchestrator)

The supervisor that maintains a global view of the engagement, tracks the Coverage Graph, and directs agents to untested surfaces. Applies deterministic logic to prioritize attack paths and decide when a pentest is complete.

ROLE · SUPERVISORDETERMINISTIC

Attack Agents

Short-lived, focused agents that each target a specific attack vector: authentication, injection, IDOR, business logic. They operate in parallel and are retired after their mission to prevent accumulated bias.

ROLE · SPECIALISTSEPHEMERAL

Validation Engine

Confirms whether a discovered issue is truly exploitable using controlled, production-safe challenges. Reduces false positives to zero by enforcing proof before any finding enters the report.

ROLE · PROVERNON-DESTRUCTIVE

Coverage Graph

Tracks which endpoints, parameters, and auth contexts have been tested. The system of record for "is this pentest complete." Converts directly to exhaustiveness scores in the audit PDF.

ROLE · STATEGRAPH + SCORING

Compliance Reporter

Generates audit-ready output mapped to DORA, NIS2, ISO 27001, and SOC 2. PDF with reproducible PoCs, business impact, prioritized remediation, and offline verification.

OUTPUT · SIGNED PDFDORA · NIS2 · ISO · SOC 2

Why Fleuret

7 CRITERIA · 3 PROVIDERS

FLEURET WINS 4 / 7

THE PLATFORM

Fleuret
Rigor

Depth

Deep

False positives

Zero. Every finding has a PoC.WIN
Economics

Speed

Hours

Cost

€4,000 flatWIN

Frequency

On-demand. Every release.WIN
Fit

Audit-grade report

Adaptability

Both. On every release.

NOT A FIRM

Consulting firm
Rigor

Depth

Deep

False positives

Rare
Economics

Speed

2-4 weeks

Cost

€25,000+

Frequency

Quarterly-Annual
Fit

Audit-grade report

Adaptability

Deep, but slow and expensive.

NOT A SCANNER

Legacy scanner
Rigor

Depth

Shallow

False positives

Many
Economics

Speed

Minutes

Cost

Cheap, but noisy

Frequency

Continuous
Fit

Audit-grade report

Adaptability

Fast, but shallow and noisy.
BY DESIGN · 03 DECISIONS

Fleuret is built differently.

Three design decisions that separate Fleuret from every other tool claiming AI security testing.

01SPECIALISTS

Specialist agents, not one monolithic AI

Dozens of focused agents, each starting fresh with a scoped objective. No accumulated bias. No context collapse. When one agent finishes, another picks up the next attack vector.

agent.authnagent.idoragent.injectionagent.bizlogicagent.privesc+ 18 more
02PROOF

Proof, not probability

Findings ship with the actual, reproducible exploit as evidence. If it can't be proven, it doesn't reach your report. Zero false positives is a design decision, not a target.

reproducible PoCcontrolled challengenon-destructivesigned evidence
03SOVEREIGN

Sovereign EU, model-agnostic

Scaleway France hosting. Open-weight models. Customer data never leaves Europe. Swap models when the frontier moves: the value is in the orchestration, not the model.

Scaleway · Parisopen-weightno data egressmodel-agnostic
PRODUCTION SAFETY · 03 GUARANTEES

Built for production environments.

Fleuret runs against live systems. Three guarantees make that safe: nothing gets broken, everything is logged, every finding maps to a regulation your auditor recognizes.

Non-destructive validation

Exploit validation uses controlled challenges that confirm exploitability without modifying data or disrupting systems. Your production stays untouched.

GUARANTEE · NO WRITESREAD-ONLY POCS

Full observability

Every agent action is logged: who, what, when, from where. The audit trail ships with the PDF. Your compliance team can trace every finding to its source.

TRACE · PER REQUESTSHIPPED WITH REPORT

DORA and NIS2 aligned

Report format maps directly to regulatory pentest requirements. Ed25519-signed PDF for offline verification. Board-deck export for quarterly risk reviews.

SIGNED · ED25519DORA · NIS2
GET STARTED · 15 MINUTES

See agentic pentesting in action.

Fleuret surfaces real, exploitable risk at machine speed. AI agents discover. Deterministic validation confirms. Your team remediates what matters.

15 MIN · CET · NDA-READY

Privacy Settings

This site uses third-party website tracking technologies to provide and continually improve our services, and to display information according to users' interests. I agree and may revoke or change my consent at any time with effect for the future.